89th Meeting of the GDD ERFA Circle Bavaria

On March 15, 2024, we had the opportunity to participate in the 89th meeting of the Bavarian ERFA Circle of the German Association for Data Protection and Data Security (GDD). The experience exchange groups (ERFA Circles), organized by members of the GDD, serve as a forum for professionals in the field of data protection to exchange views and experiences.

After Dr. Thorsten Schmiege, the President of the Bavarian Regulatory Authority for New Media (BLM), welcomed the participants at the premises of the BLM, the speakers provided fascinating insights into the work of supervisory authorities and current developments in data protection and IT security law.

Andreas Gummer, the Media Officer for Data Protection, started off with a keynote speech on the legal peculiarities of data protection in the media sector.

Next, Christina Rölz, Data Protection Officer of the Bavarian State Ministry of the Interior for Sport and Integration, presented current legislative procedures in Europe and Germany. As part of the upcoming reviews in 2024 and 2028, a revision of the GDPR is under consideration. The German Federal Council calls for manufacturer liability for providers of digital products to ensure that products and services can be used by data controllers in compliance with the GDPR without having to adjust the default settings.

Dr. Florian Eisenmenger from Osborne & Clarke introduced the basics of the NIS2 directive, for which we have also set up an information page, and reported on the upcoming Cyber Resilience Act (CRA). The aim of the CRA is to consider and continuously improve cybersecurity throughout the entire lifecycle of products with digital elements. The CRA was approved by the European Parliament on March 12 and still needs to be confirmed by the Council to come into force.

Jonas von Dall'Armi from Giesecke+Devrient then provided a follow-up to his presentation at the last GDD ERFA Circle on possible restrictions on the use of data resulting from the Data Act. Furthermore, he described in detail how the newly regulated switching of cloud providers is to be made possible and which requirements cloud providers must fulfill in this context. The Data Act will be applicable from September 12, 2025.

Finally, Michael Will, the President of the Bavarian State Office for Data Protection Supervision, answered some questions from the participants. He cautioned companies against demanding criminal record certificates from applicants, as this practice is prohibited under Article 10 of the GDPR with only a few exceptions. Regarding the use of log data by software providers for product optimization or improving cybersecurity, he referred to the DSK decision on Microsoft 365.

All presentations were of high quality and the speakers were readily available to answer participants' questions. We are already looking forward to the next GDD ERFA Circle in September!